# HG changeset patch # User Michael Spacefalcon # Date 1384230527 0 # Node ID 277fd7b971f0589adae5fbc00bec99ce5fbb6557 # Parent fdfb57a1c5fe55c564704a302a5701d021177192 some success in finding familiar TI code in moko11 and Pirelli fw binary images diff -r fdfb57a1c5fe -r 277fd7b971f0 moko11 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/moko11 Tue Nov 12 04:28:47 2013 +0000 @@ -0,0 +1,28 @@ +The Init_Target() function in the TCS211 code from Sotovik (which sits in a +binary lib with no source!) programs nCS0 and nCS1 memory timings with WS=3. +We would like to determine whether or not the moko11 firmware does the same +thing. We have no linker map file for moko11, so we have to dig around in the +binary and try to match the code against known objects. + +In the Sotomodem version of Init_Target(), at offset 0x60 from the beginning of +the function there is a BL instruction calling $CLKM_InitARMClock, and this call +is immediately followed by the code that sets up the memory timings. + +Let's see what we can find in the moko11 binary image: + +0012D4: RESET vector jumps here +010000: the code here appears to fully match the .inttext section of + TI's int.obj +010058: appears to be the _INT_Initialize entry point + (seems to be the same for all TI firmwares of that era) +010268: b 0x1e8364, should be a jump to the _INC_Initialize veneer +1D1E48: first function called from Application_Initialize, should be + Init_Target() + Matches the Sotomodem version of Init_Target() indeed, + including the memory timing setup! +1E72B0: Expected start of $INC_Initialize, appears to match +1E72F4: bl 0x1e81fc, should be calling Application_Initialize() +1E81FC: Expected start of Application_Initialize(), contains 6 calls indeed +1E8364: looks like an ARM->Thumb call veneer indeed +1E8370: Thumb code begins, does bl 0x1e72b0 +1E8378: back to ARM, veneer return diff -r fdfb57a1c5fe -r 277fd7b971f0 pirelli/firmware --- /dev/null Thu Jan 01 00:00:00 1970 +0000 
+++ b/pirelli/firmware Tue Nov 12 04:28:47 2013 +0000 @@ -0,0 +1,23 @@ +Following on the success of our match of moko11 disassembly against some known +objects (see ../moko11), let's try doing the same thing with Pirelli's fw. + +Let's see if the code in Pirelli's fw at 0x40000 matches .inttext from TI's +int.obj: so far, so good! Let's see how far we can get: + +040000: beginning of match with .inttext in TI's int.obj +040268: b 0x3f6b40, should be a jump to the _INC_Initialize veneer +3BB7D4: first function called from Application_Initialize() + the logic of Init_Target() is recognizable, but it's a modified + version, not the same object blob as we have + the setup of memory timings matches that done by OsmocomBB! +3F11F8: this should be Application_Initialize() + differences begin: instead of 6 function calls, there are 12, + with one of them conditionalized on the return value of the previous +3F3E74: expecting to see $INC_Initialize here - yes! +3F6B40: looks like an ARM->Thumb call veneer indeed +3F6B4C: Thumb code begins, does bl 0x3f3e74 +3F6B54: back to ARM, veneer return + +data objects: + +01775048: INC_Initialize state variable
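Review bot: In the moko11 hunk, the question the file opens with (does moko11 program nCS0 and nCS1 with WS=3?) is answered only by "Matches the Sotomodem version of Init_Target() indeed, including the memory timing setup!"; record the actual values written for nCS0/nCS1 at 1D1E48 (the WS field) so the conclusion stands without someone having to redo the disassembly. Two smaller points: state once whether the 6-digit numbers (0012D4, 010000, 1D1E48, ...) are image file offsets or load addresses, since branch targets such as `b 0x1e8364` and `bl 0x1e81fc` are matched directly against them; and note the naming convention behind `_INC_Initialize` (the ARM-side veneer at 1E8364) versus `$INC_Initialize` (the Thumb body at 1E72B0), otherwise the two spellings read like a typo.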
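Review bot: In the pirelli/firmware hunk, the entry for 3F11F8 says Application_Initialize() makes 12 calls instead of 6, with one conditional on the previous return value, but lists none of the targets; add the 12 branch targets (marking the conditional one) so they can be matched against known objects in a follow-up the way 3BB7D4 and 3F3E74 were here. Likewise at 3BB7D4, "the setup of memory timings matches that done by OsmocomBB!" should be accompanied by the nCS0/nCS1 values actually seen, so a reader can compare them with the WS=3 setting the ../moko11 notes ask about without having OsmocomBB's source at hand. Under "data objects", 01775048 is written with 8 digits while all code locations use 6; say whether this is a RAM address rather than a flash image offset.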